Lattigo: a Multiparty Homomorphic Encryption Library inGo

Christian Mouchet Jean-Philippe Bossuat [email protected] [email protected] EPFL EPFL Juan Troncoso-Pastoriza Jean-Pierre Hubaux [email protected] [email protected] EPFL EPFL ABSTRACT Table 1: The .com/ldsec/lattigo/v2 Go module We present and demo of Lattigo, a multiparty homomorphic en- lattigo/ring provides the RNS (Residue Number Sys- cryption library in Go. After a brief introduction of the origin and tem) modular arithmetic over the ring 푑 history of the library, we dive into the most relevant technical as- Z푄 [푋]/(푋 + 1) with 푑 a power of two. This pects that differentiate Lattigo from other existing libraries. From includes: RNS basis extension, RNS division, the cryptographic research perspective, we describe our realiza- number theoretic transform (NTT), and uni- tion of the keyswitch and CKKS bootstrapping operations. We form, Gaussian and ternary sampling. also present our approach to multiparty homomorphic encryption lattigo/bfv implements the Full-RNS, scale-invariant and its importance for Lattigo use-cases. From the per- scheme of Brakerski, Fan and Vercauteren 푑 spective, we elaborate on the choice of the Go language and the (BFV) [5, 12, 14]; it supports Z푝 arithmetic. benefits it brings to application developers who use the library. lattigo/ckks implements the Full-RNS scheme of Cheon et We then present performance benchmarks and the main use-case al. [10, 11] (CKKS, a.k.a. HEAAN), that sup- applications the library had so far. The last part of the presentation ports approximate arithmetic over C푑/2. This comprises a tutorial on how to use Lattigo to build a "toy" use-case: package features a bootstrapping procedure. a privacy-preserving web-application for scheduling meetings. lattigo/dbfv implements the local operations for mul- tiparty key-generation and key-switching 1 INTRODUCTION functionalities for the BFV scheme [19]. lattigo/dckks implements the local operations for mul- Homomorphic Encryption (HE) techniques are becoming increas- tiparty key-generation and key-switching ingly popular. This is reflected in a growing number of crypto- functionalities for the CKKS scheme [19]. graphic libraries that implement efficient instantiations, and in the current process for standardization of HE [3]. Traditionally, HE schemes are used in a two-party setting comprising a data-holder by featuring built-in concurrency primitives, extensive standard libraries and comprehensive toolchains for building, testing and party 푃1 that sends its encrypted input data 푥푃1 to an external party analyzing code. In this demo, we present the Lattigo library, a Go 푃2, which can compute any polynomial function 푓 (푥푃1 ) over the scheme’s plaintext space, and then sends the encrypted result back module for -LWE-based multiparty homomorphic encryption. to party 푃1 for decryption. In the passive-adversary model, this simple protocol can achieve secure two-party computations. 2 LIBRARY OVERVIEW The aforementioned setting can be extended to 푁 parties through the use of Multiparty Homomorphic Encryption (MHE) techniques Lattigo is a Go module that contains the packages listed in Table 1. such as multi-key-HE (MKHE) [9, 18] and threshold-HE (Th-HE) Genesis. The development of Lattigo started in March 2019 as a [4, 19]. In such schemes, the involved parties collectively (hence, part of our research on multiparty homomorphic encryption (MHE) interactively) enforce the access control to the data by distributing and secure multiparty computation. In addition to the scientific the scheme’s decryption circuit. Mouchet et al. proposed a threshold interest in being able to quickly integrate our research results into version of BFV and showed that its use as a secure-multiparty- a code-base for their empirical evaluation, we saw an opportunity computation (MPC) solution is, for several generic circuits, faster to benefit the community by bringing HE to a new programming and has less communication overhead than LSSS-based MPC in language: Go. Our group currently uses Go for the implementation the same adversary model [19]. Thus, there is a great interest in of several applied research projects. As these systems transitioned building concrete MPC systems that can employ MHE schemes. from proof-of-concept implementations to real-world prototypes Such systems, by nature, are highly interactive, concurrent and deployed in operational settings, the need for a cryptographic layer cross-platform. For this reason, implementing them may represent supporting MHE became essential. a significant investment in terms of time and effort when using Scope and interface principles. For each scheme, the corre- C++, which most of the state-of-the-art HE libraries are using. More sponding package implements the cryptographic objects and the recent languages, such as Go [1], greatly reduce this effort, notably local operations on these objects. These local operations are de- fined as exported Go interface types (e.g., bfv.Encryptor) for WAHC’20, 15 Dec. 2020, Online which implementations are provided as methods (e.g., Encrypt(*)) . of context-specific objects (e.g., skEncryptor, pkEncryptor) that 1 WAHC’20, 15 Dec. 2020, Online Christian Mouchet, Jean-Philippe Bossuat, Juan Troncoso-Pastoriza, and Jean-Pierre Hubaux encapsulate the cryptographic parameters, temporary buffers and 150 pre-computations. As of version v2.1.0, Lattigo provides a single- 213.5 threaded implementation of its API and all types assume single- threaded use. Therefore, the API user controls the concurrency aspects of its application. 100 Support for Multiparty Access Structures. At the time of 13 Throughput

time [sec] 2 writing, the dbfv and dckks packages implement the 푁 -out-of-푁 - Key-size )/

Threshold access structure of Mouchet et al. [19] (we elaborate on 푄 ( Throughput 50 this scheme in Section 2.2). Key-size [MB] log

212.5 2.1 Cryptographic Optimizations and Features 0 We summarize the features in Lattigo that are relevant from a 1 2 3 4 5 6 7 8 cryptographic-research standpoint. 훼 Standalone Arithmetic Layer. The library exposes most of Number of Special Primes its polynomial arithmetic layer in the lattigo/ring sub-package. This package is implemented in pure Go and features a wide range Figure 1: Comparison of the public key-switch operation of low-level optimized algorithms, with a minimal, unexported use throughput (in ciphertext-bits/sec.) and public switching- of the unsafe package (that enables pointer arithmetic) and with- key size in Lattigo v2.1.0 for 푑 = 215 and variable 1 ≤ 훼 ≤ 8 out any dependency on external numerical libraries. This includes and 퐿 = 16 − 훼. Montgomery-form arithmetic, ring operations, Number Theoretic Transforms (NTT), evaluation of automorphisms, RNS bases exten- sions and scaling, and sampling of Gaussian, uniform and ternary distributions. Hence, it can be used to build and evaluate other Table 2: CKKS Bootstrapping Parameters. 푑 is the ring de- R-LWE based FHE schemes and primitives. gree, ℎ is the number of non-zero coefficients in the secret- ( ) ( ) Generalized Keyswitch Procedure. For both the BFV and key, log 푄 bit-size of the ciphertext modulus, log 푃 is the CKKS schemes, Lattigo uses a generalization of the keyswitch pro- bit-size of the key-switching decomposition-basis (the secu- ( ) cedure proposed by Han and Ki [15], which lets the user specify the rity is based on log 푄푃 ) and 퐶 the ciphertext modulus con- norm of the decomposition-basis 푃 used during the key-switching. sumption by bootstrapping (in bits). Hence, the parameters can be represented as a triplet {푑, 퐿, 훼}, Set 푑 ℎ log(푄) log(푃) 퐶 where 푑 is the ring degree, 퐿 is the number of ciphertext moduli Best of [8] 1240 1240 1057 64 (prime factors of 푄) and 훼 is the number of special primes for the Best of [15] 1270 182 900 216 key-switching (prime factors of 푃). Even though it introduces an ad- II 192 1248 305 743 ditional (yet optional) parameter, we observed that giving the user III 215 1416 366 956 the ability to tune the trade-off (indeed, the size of 푄푃 is capped by the security parameter) between homomorphic-capacity and Lattigo is the second library to feature an open-source implementa- keyswitch complexity results in great throughput gains. We com- tion of a bootstrapping circuit for the CKKS scheme and the first pared the homomorphic throughput of the keyswitch procedure one to make such implementation available for the Full-RNS vari- along with the size of the public switch-key for several values of 훼 15 ant of the scheme. Compared to the current state-of-the-art, the using the parameters {2 , 16 − 훼, 훼}, i.e. for a fixed modulus size procedure is both more efficient and more precise (as shown in 푄푃, the number of primes between 푄 and 푃 varies. Figure 1 shows Figure 2), and it does not require the use of sparse secret keys. that, by increasing 훼 to 4, we get a 2× increase in throughput and a Homomorphic Polynomial Evaluation. The lattigo/ckks 5× decrease in the key-size. This shows that, in terms of throughput, package provides a scale-invariant and depth-optimal polynomial the loss in homomorphic capacity is more than compensated by evaluation algorithm, for both the standard and the Chebyshev the run-time reduction. bases. It allows the user to provide the clear-text polynomial coeffi- We also further optimized the keyswitch-key format and keyswitch cient and a desired output scale, and it recursively back-propagates algorithm for the evaluation of automorphisms such as rotations, it to ensure that all rescalings in the evaluation are exact (as de- as proposed by Bossuat et al. [7]. scribed in more details by Bossuat et al. [7]). Novel BFV Quantization. Even in its RNS variant, [5, 14], the BFV homomorphic multiplication is an expensive operation be- cause it requires the use of a secondary and temporary basis [12]. 2.2 Multiparty Homomorphic Encryption Lattigo takes a novel approach to this operation, by adapting the MHE has a great potential as a generic secure multiparty computa- RNS-friendly quantization techniques proposed in original full- tion (MPC) solution thanks to its low communication requirements RNS variant of the CKKS scheme [10]. See Section 4 for benchmark and versatility. However, whereas traditional Linear Shamir Secret comparisons. Sharing (LSSS)-based generic MPC protocols are implemented in CKKS Bootstrapping. The Lattigo library comprises an imple- several, well-established libraries, MHE-based solutions have been mentation of the CKKS bootstrapping from Bossuat et al. [7]. Hence, implemented mainly for specific computations. One of the main 2 Lattigo: a Multiparty Homomorphic Encryption Library inGo WAHC’20, 15 Dec. 2020, Online

1 · 106 ) Best of [8] 215 Best of [15] Set II

CPU time Set III 214

)/( 5

퐶 5 · 10

) − 215 푄 Throughput 14 14 ( 2 2 10 214 12

log 2 2

× ( 10 10 푛 0 2 2 10 15 20 log(1/휖) Precision

Figure 2: (From [7]) Comparison of the bootstrapping util- ity. See Table 2 for the parameters. We plot the results for our best performing parameter set against the state of the Figure 3: The MHE-based MPC protocol art. Nodes are labeled with 푛, the number of plaintext slots, log(푄) − 퐶 is the residual homomorphic capacity (in bits) af- (those that depend on the secret-key), the single-party scheme ter the bootstrapping, and the precision log(1/휖) is defined operations can be directly used in a multi-party setting (and are as the negative log of the mean error across all the slots. non-interactive). The multiparty scheme of Mouchet et al. enables generic 2+2- purposes of the Lattigo library is to support the development of rounds MPC protocols (illustrated in Figure 3) in the passive-adversary, MHE-based MPC protocols. dishonest-majority setting [19]. In the first 2 rounds, the parties run Lattigo implements the scheme of Mouchet et al. [19] for both a PubKeyGen protocol, which is a parallel composition of EncK- BFV and CKKS. We summarize its protocols from a high-level and eyGen, RelinKeyGen and RotKeyGen, to generate the necessary public-key material. This can be done in an off-line phase and only refer the reader to [19] for the scheme details. Let 푃1, ..., 푃푁 be once for a given set of parties and cryptographic parameters. In the 푁 parties holding their respective secret keys sk1,...sk푁 and let ˜ Í푁 next round, the parties provide their inputs, encrypted under the sk = 푖=1 sk푁 . This scheme comprises the following multiparty protocols: generated public-key. The evaluation of the circuit is done using the usual homomorphic operations for the scheme. The last round corresponds to the output phase: Depending on the setting, the EncKeyGen Collective encryption-key generation. parties use either the ColKeySwitch or the PubColKeySwitch to It generates a public encryption-key pk for re-encrypt or decrypt the final result. An interesting feature of the the secret-key sk˜ , in a single round. MHE-MPC protocol is that its transcript is entirely public, so it RelinKeyGen Relinearization-key generation. It gen- does not require private channels between the parties. Hence, in erates a public relinearization-key rlk for addition to the traditional peer-to-peer system-model for MPC, the the secret-key sk˜ , in two rounds. MHE-based protocols can work in cloud-assisted models in which RotKeyGen Rotation-key generation. Given an inte- the parties communicate solely with a central server. ger 푘, it generates a public rotation-key Go is an ideal choice for implementing networked systems and rot enabling homomorphic plaintext-slots 푘 web-services, thanks to its natural concurrency model, rich API rotation by 푘, in a single round. and ease of deployment. Hence, building on these features using ColKeySwitch Collective Key-switching. Given a ci- the Lattigo library makes developing HE-based privacy-preserving ˜ ′ phertext ct and a target secret-key sk , it applications considerably easier. computes the re-encryption of ct from sk˜ to ′ sk˜ , in a single round. A decryption proto- 3 SOFTWARE FEATURES ˜ ′ col is obtained from the special case sk = 0. We provide an overview on the features that distinguish Lattigo PubColKeySwitch Collective Public-key-switching. Given ′ from other homomorphic encryption libraries. Whereas most state- a ciphertext ct and a target public-key pk , of-the-art HE libraries use C++, Lattigo is written in Go. it computes the re-encryption of ct from sk˜ ′ The Go language. The Go language was designed for multi- to pk , in a single round. core, concurrent and networked systems, which makes it ideal for implementing multiparty computation. It features a minimal set of As for several threshold schemes, the multiparty scheme em- fundamental concepts and associated syntax, which makes learn- ulates a single-key setting and preserves the structure of the ci- ing Go easy. The Go run-time is highly efficient and Go programs phertexts and keys. Hence, apart from the above functionalities can match and even outperform C++ programs, if the overhead of 3 WAHC’20, 15 Dec. 2020, Online Christian Mouchet, Jean-Philippe Bossuat, Juan Troncoso-Pastoriza, and Jean-Pierre Hubaux

Table 3: BFV Timings in 휇푠 for 210 ≤ 푑 ≤ 213. Table 5: BFV Timings in 푚푠 for 214 ≤ 푑 ≤ 216 푑 = 211, 퐿 = 1 푑 = 212, 퐿 = 2 푑 = 213, 퐿 = 4 푑 = 214, 퐿 = 8 푑 = 215, 퐿 = 15 푑 = 216, 퐿 = 31 Op Op SEAL Lattigo SEAL Lattigo SEAL Lattigo SEAL Lattigo SEAL Lattigo SEAL Lattigo Encode 29 26 60 55 122 123 Encode 0.2 0.2 0.5 0.5 1.1 1.2 Decode 29 30 73 56 129 112 Decode 0.2 0.2 0.6 0.6 1.2 1.3 Encrypt 803 226 2085 936 5711 2935 Encrypt 18.5 10.5 65.4 39.2 253.5 153.0 Decrypt 110 64 358 284 1374 1251 Decrypt 5.6 5.3 23.5 22.4 115.7 95.6 Add 7 3 28 11 126 46 Add 0.4 0.2 1.7 1.0 7.1 4.5 Mul-Pt 129 90 482 380 2084 1652 Mul-Pt 8.8 7.4 34.1 32.1 149.5 133.2 Mul-Ct 1146 476 3721 2065 14987 9123 Mul-Ct 65.7 44.9 400.3 205.7 2822.6 1186.3 Square 816 368 2693 1569 10918 7234 Square 48.4 35.0 306.8 155.8 2185.1 946.6 KeySwitch -- 775 745 3933 3781 KeySwitch 24.3 24.1 147.0 154.5 1183.8 1235.5

Table 4: CKKS Timings in 휇푠 for 210 ≤ 푑 ≤ 213. Table 6: CKKS Timings in 푚푠 for 214 ≤ 푑 ≤ 216 푑 = 211, 퐿 = 1 푑 = 212, 퐿 = 2 푑 = 213, 퐿 = 4 푑 = 214, 퐿 = 8 푑 = 215, 퐿 = 15 푑 = 216, 퐿 = 31 Op Op SEAL Lattigo SEAL Lattigo SEAL Lattigo SEAL Lattigo SEAL Lattigo SEAL Lattigo Encode 112 103 305 247 854 668 Encode 3.2 1.9 14.3 6.3 58.0 22.9 Decode 63 82 345 174 1385 382 Decode 6.4 0.8 31.7 3.1 230.7 6.5 Encrypt 548 392 1816 1115 5329 3680 Encrypt 19.0 13.0 71.6 50.0 295.7 211.4 Decrypt 18 6 71 27 272 108 Decrypt 1.1 0.4 4.7 2.3 19.2 9.1 Add 7 3 28 10 124 46 Add 0.4 0.2 1.7 0.9 7.2 4.5 Mul-Pt 14 7 52 27 210 126 Mul-Pt 0.8 0.5 3.1 2.2 13.2 9.1 Mul-Ct 45 15 187 61 795 242 Mul-Ct 3.1 1.1 12.0 4.6 49.2 19.4 Square 27 13 124 54 496 224 Square 2.1 0.9 8.4 4.0 35.3 17.1 Rescale -- 203 222 861 857 Rescale 3.6 3.4 14.6 13.8 64.2 65.7 KeySwitch -- 807 731 3927 3619 KeySwitch 23.4 22.8 146.5 143.5 1178.5 1205.8 garbage collection is taken into account. We found that, by imple- optimizations, such as loop-unrolling and pointer arithmetic, to menting allocation-free API methods, this overhead is negligible. obtain performance figures comparable to C++. However, this com- The Go toolchain. As for most modern languages, Go provides plexity is not exposed to the user. The garbage collection introduces a complete toolchain for building programs. In addition to the com- a slight overhead, which can however be reduced to negligible by piler, this toolchain comprises a dependency resolver and integrates writing allocation-free code. unit-tests and benchmarks. This makes Lattigo easy to download, compile, test and benchmark. To simply explore the library and run the examples programs, the 4 PERFORMANCE COMPARISON easiest way is to clone the repository at github.com/ldsec/lattigo. We provide performance benchmarks for the single-party and mul- From the library root directory, example programs can be run using tiparty primitives implemented in Lattigo v2.1.0. We used SEAL the go run command. For example, v3.6 [21] as a baseline for the single-party schemes. All experiments $ go run ./examples/dbfv/psi were conducted single-threaded on an i5-6600k at 3.5 GHz with runs the multiparty-BFV-based PSI example. Benchmarking and 32 GB of RAM running Windows 10. We used Go version 1.14.2 testing Lattigo is equally easy: for building Lattigo and the MSVC++ compiler version 14.28 to $ go test ./... (run all tests) compile the SEAL library and its examples. $ go test ./ckks (ckks tests only) Parameters. We define the benchmarked parameters as the $ go test -run=X -bench=. ./... (run all benchmarks) triplet {푑, 퐿, 훼}, where 푑 is the ring degree, 퐿 is the number of ci- $ go test -run=X -bench=. ./ckks (ckks bench only) phertext moduli (prime factors of 푄) and 훼 is the number of special $ go test -run=X -bench=./Encrypt ./... (encrypt only) primes for the key-switching (prime factors of 푃). These are indeed The Go toolchain also makes it easy to import Lattigo as a depen- the most relevant factors when comparing the library performance, dency. From within the directory of another Go module, running as each individual modulus fits within one machine limb. Both $ go get github.com/ldsec/lattigo/v2 Lattigo and SEAL propose several default parameter sets for 128- $ go test github.com/ldsec/lattigo/v2/... bit security (according to the standardization document [3]) and installs the latest released version of Lattigo as a dependency and varying homomorphic capacity. However, SEAL does not yet sup- runs its unit tests. port the use of multiple moduli in the extended-basis 푃 (it enforces The downsides of Go. The Go compiler, while being constantly 훼 ≤ 1), so the default parameters proposed by Lattigo cannot be improved, is not as mature as C++ compilers. We found that it does directly compared. Hence, we performed our benchmarks with the not optimize arithmetic and does not use SIMD or vectorized in- default parameters of SEAL. We generated custom parameters for structions when available. Hence we implemented several low-level the ring degree 푑 = 216; these parameters use 31 moduli, for an 4 Lattigo: a Multiparty Homomorphic Encryption Library inGo WAHC’20, 15 Dec. 2020, Online equivalent log(푄푃) of 1782 bits. For all parameter sets, we used a Table 7: DBFV Timings [ms]: Total cost per party for gener- number of plaintext slots 푛 = 푑 for BFV and 푛 = 푑/2 for CKKS. ation (Gen), aggregation (Agg) and output (Out) local opera- Results. Tables 3, 4, 5, and 6 summarize the timings of local op- tions. Aggregated over the two rounds for the RelinKeyGen. erations for BFV and CKKS in a single-key setting, along with the Op 푑 = 213 푑 = 214 푑 = 215 corresponding baseline-system timings. We observe that, within Gen 0.77 2.59 10.45 the scope of these benchmarks, it is possible to produce Go crypto- EncKeyGen Agg 0.02 0.08 0.32 graphic code that matches the performance of C++. Out 0.09 0.34 1.28 The timings for the local operations for DBFV are presented in Gen 8.79 30.79 159.48 Table 7 (the timings for DCKKS would be identical). These timings RelinKeyGen Agg 0.25 1.12 6.18 reflect the per-party cost of generating its share in the protocol Out 0.36 1.81 9.72 (Gen), the cost of aggregating two received shares (Agg) and the cost Gen 2.46 8.73 45.24 of computing the protocol output from its transcript (Out). Table 8 RotKeyGen Agg 0.06 0.25 1.53 reports the size of one share, which corresponds to the total amount Out 0.11 0.67 3.88 of data sent by one party in each protocol. For the RelinKeyGen Gen 1.15 4.43 19.31 protocol, the values represent the aggregation between the two ColKeySwitch Agg 0.02 0.06 0.25 rounds. Note that, thanks to the properties of the multiparty scheme, Out 0.02 0.07 0.32 none of these values actually depend on the number of parties 푁 . Gen 3.01 11.98 48.74 Indeed, the system-wide network load and number of calls to the PubColKeySwitch Agg 0.03 0.12 0.55 share aggregation operations (Agg) grows with 푁 and depends Out 0.03 0.12 0.68 on the system model and network topology. We refer the reader to [19] for an analysis of these costs in concrete instances of the MHE-based MPC protocol. Table 8: DBFV Share Sizes [MB]: Total amount sent per party. The good performance of Lattigo can be attributed to the effi- Aggregated over the two rounds for the RelinKeyGen. lattigo/ring ciency of the package , which heavily leverages on 13 14 15 low-level Go-friendly optimizations (e.g. Montgomery and pointer Op 푑 = 2 푑 = 2 푑 = 2 arithmetic, lazy-reduction, loop unrolling) as well as scheme-specific EncKeyGen 0.26 1.05 3.93 high-level algorithmic optimization (e.g, a novel BFV quantization, RelinKeyGen 3.15 12.58 62.91 operation-specific plaintext encoding). RotKeyGen 0.79 3.15 15.73 ColKeySwitch 0.2 0.79 3.15 PubColKeySwitch 0.39 1.57 6.29 5 APPLICATIONS Lattigo has been successfully used in the implementation of complex training and evaluation of several machine learning models, in- application workflows involving both client-server applications and cluding generalized linear models [13] and feed-forward neural large-scale multiparty settings. networks [20]. The systems built with Lattigo are capable of ef- Client-server applications. A paradigmatic case of a secure ficiently scaling up to thousands of parties and achieve ahigh service that works on encrypted sensitive client data was proposed training throughput, while closing the accuracy gap with respect to in the 2019 iDash challenge [2], involving a problem of secure geno- centralized clear-text systems. Examples of its performance include type imputation. Lattigo was used for developing one of the three training a logistic regression model on a dataset of 1 million sam- winning solutions, implementing a multinomial logistic regression ples with 32 features distributed among 160 data providers in less with CKKS-encrypted data, that performs a batch prediction (1,000 than three minutes [13], and training a 3-layer neural network on patients with 80,000 to-be-imputed variants each) in seconds, and the MNIST dataset with 784 features and 60,000 samples distributed has memory requirements and prediction accuracy comparable to among 10 parties in less than 2 hours. clear-text state-of-the-art genotype imputation tools [17]. Lattigo was also used for implementing building blocks for MPC 6 DEMO protocols, such as a passively-secure oblivious linear function evalu- The final part of the presentation is a tutorial demonstrating the ation (OLE) protocol [6]. This protocol generalizes oblivious transfer use of Lattigo for building a simple Doodle-like web-application for to linear functions, and its Lattigo implementation (on top of the privacy-preserving scheduling. The code for this demo is available ring package) is able to evaluate more than 1 million OLEs per at https://github.com/ldsec/lattigo-polls-demo. second over the ring Z푚, for a 120-bit 푚 on standard hardware. Large-scale multi-party applications. The main use-case of Lattigo is the development of multi-party secure protocols where 6.1 Example Web-Application the input confidential data is partitioned among several entities. In this application, we consider a web-service provider and 퐷 clients These entities impose an access structure on the computation re- willing to find an intersection in their availabilities, while revealing sults, by leveraging the MHE solution enabled by Lattigo. The only this intersection to the creator of the poll. We assume that achieved security guarantees are much stronger than traditional the clients will not cheat on their input and that the web-service federated learning approaches, which leak intermediate computa- provider is honest-but-curious (passive adversaries). For the sake of tion results. Lattigo has been used for implementing distributed this demo, we assume that the creator of the poll does not collude 5 WAHC’20, 15 Dec. 2020, Online Christian Mouchet, Jean-Philippe Bossuat, Juan Troncoso-Pastoriza, and Jean-Pierre Hubaux with the web-service provider and we instantiate it in single-key REFERENCES setting. This assumption can be relaxed by using MHE. [1] [n.d.]. The Go Programming Language. http://golang.org The server is a Go program using the net/http package to [2] [n.d.]. IDASH PRIVACY & SECURITY WORKSHOP 2019 - secure genome analysis competition. http://www.humangenomeprivacy.org/2019/ serve the web-application. It implements different routes to create [3] Martin Albrecht, Melissa Chase, Hao Chen, Jintai Ding, Shafi Goldwasser, Sergey the poll, collect the answers and finally compute and serve the Gorbunov, Shai Halevi, Jeffrey Hoffstein, Kim Laine, Kristin Lauter, Satya Lokam, Daniele Micciancio, Dustin Moody, Travis Morrison, Amit Sahai, and Vinod result to the poll creator. Vaikuntanathan. 2018. Homomorphic Encryption Security Standard. Technical The client is a web browser that makes requests to the server Report. HomomorphicEncryption.org, Toronto, Canada. and presents the UI to the user. When loading the page, the client [4] Gilad Asharov, Abhishek Jain, Adriana López-Alt, Eran Tromer, Vinod Vaikun- tanathan, and Daniel Wichs. 2012. Multiparty computation with low communi- fetches and runs a Go executable compiled in WebAssembly (Wasm). cation, computation and interaction via threshold FHE. In Annual International This program exposes procedures that can be called through javascript, Conference on the Theory and Applications of Cryptographic Techniques. Springer, and is used by the browser client to call Lattigo functions. 483–501. [5] Jean-Claude Bajard, Julien Eynard, M Anwar Hasan, and Vincent Zucca. 2016. The protocol. A client creates a new poll by generating a new A full RNS variant of FV like somewhat homomorphic encryption schemes. In key-triple (sk, pk, rlk) and sending a POST /createpoll request International Conference on Selected Areas in Cryptography. Springer, 423–442. ) [6] Carsten Baum, Daniel Escudero, Alberto Pedrouzo-Ulloa, Peter Scholl, and containing pk and rlk . The participants can join this poll by retriev- Juan Ramón Troncoso-Pastoriza. 2020. Efficient Protocols for Oblivious Linear ing the associated pk, encoding their availabilities as binary vector Function Evaluation from Ring-LWE. 130–149. https://doi.org/10.1007/978-3- pt (0 meaning unavailable and 1 meaning available for this option) 030-57990-6_7 [7] Jean-Philippe Bossuat, Christian Mouchet, Juan R. Troncoso-Pastoriza, and and sending a POST //availability containing their Jean Pierre Hubaux. 2019. Efficient Bootstrapping for ApproximateHomomorphic name and ct = Encryptpk (pt). Upon the poll closing by the creator, Encryption with Non-Sparse Keys. In https://eprint.iacr.org/2020/1203. the server computes the product between all submitted ciphertexts, [8] Hao Chen, Ilaria Chillotti, and Yongsoo Song. 2019. Improved bootstrapping for approximate homomorphic encryption. In Annual International Conference on and serves the resulting ciphertext to the poll creator. the Theory and Applications of Cryptographic Techniques. Springer, 34–54. [9] Hao Chen, Wei Dai, Miran Kim, and Yongsoo Song. 2019. Efficient multi-key 6.2 Hands-On Tutorial homomorphic encryption with packed ciphertexts with application to oblivious neural network inference. In Proceedings of the 2019 ACM SIGSAC Conference on During the tutorial, we will review the Go code for the server and Computer and Communications Security. 395–412. client and their respective use of the Lattigo library. Thanks to Go’s [10] Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim, and Yongsoo Song. 2018. A full RNS variant of approximate homomorphic encryption. In Interna- rich API and simplicity, the whole application requires less than tional Conference on Selected Areas in Cryptography. Springer, 347–368. 300 lines of Go code. We will also show how the client program [11] Jung Hee Cheon, Andrey Kim, Miran Kim, and Yongsoo Song. 2017. Homo- can be called by the client through Javascript. Finally, we will show morphic encryption for arithmetic of approximate numbers. In International Conference on the Theory and Application of Cryptology and Information Security. a complete polling scenario, from the client (browser window) and Springer, 409–437. server (terminal output) perspectives. [12] Junfeng Fan and Frederik Vercauteren. 2012. Somewhat Practical Fully Homo- morphic Encryption. In https://eprint.iacr.org/2012/144. [13] David Froelicher, Juan R. Troncoso-Pastoriza, Apostolos Pyrgelis, Sinem Sav, 7 CONCLUSIONS & ON-GOING WORK Joao Sa Sousa, Jean-Philippe Bossuat, and Jean-Pierre Hubaux. 2020. Scalable Privacy-Preserving Distributed Learning. arXiv:2005.09532 [cs.CR] This demo presents the Lattigo library, a multiparty homomorphic [14] Shai Halevi, Yuriy Polyakov, and Victor Shoup. 2019. An improved RNS variant encryption library written in Go. Lattigo greatly facilitates the of the BFV homomorphic encryption scheme. In Cryptographers’ Track at the RSA Conference. Springer, 83–105. development of new HE- and MHE-applications, by enabling the [15] Kyoohyung Han and Dohyeong Ki. 2020. Better bootstrapping for approxi- use of these primitives in a modern language: Go. By considerably mate homomorphic encryption. In Cryptographers’ Track at the RSA Conference. reducing the development time of such applications, Lattigo can be Springer, 364–390. [16] Duhyeong Kim and Yongsoo Song. 2019. Approximate Homomorphic Encryption a catalyst in both the cryptography research and the adoption of over the Conjugate-Invariant Ring. In Information Security and Cryptology – ICISC HE in real systems. Our ongoing work comprises: 2018, Kwangsu Lee (Ed.). Springer International Publishing, Cham, 85–102. [17] Miran Kim, Arif Harmanci, Jean-Philippe Bossuat, Sergiu Carpov, Jung Hee Fully-Threshold MHE. When the number of parties 푁 is large, Cheon, Ilaria Chillotti, Wonhee Cho, David Froelicher, Nicolas Gama, Mariya the risk of one party going offline for an indeterminate amount of Georgieva, Seungwan Hong, Jean-Pierre Hubaux, Duhyeong Kim, Kristin time can become an issue. By relaxing the threshold to 푇 -out-of-푁 Lauter, Yiping Ma, Lucila Ohno-Machado, Heidi Sofia, Yongha Son, Yong- soo Song, Juan Troncoso-Pastoriza, and Xiaoqian Jiang. 2020. Ultra-Fast (푇 < 푁 ), this risk can be mitigated. Full-threshold variants of BFV Homomorphic Encryption Models enable Secure Outsourcing of Geno- and CKKS are implemented in a development branch of Lattigo. type Imputation. bioRxiv (2020). https://doi.org/10.1101/2020.07.02.183459 Real-CKKS. Although the CKKS scheme encrypts complex arXiv:https://www.biorxiv.org/content/early/2020/07/04/2020.07.02.183459.full.pdf [18] Adriana López-Alt, Eran Tromer, and Vinod Vaikuntanathan. 2012. On-the-fly numbers, most of its applications only use the real part of the multiparty computation on the cloud via multikey fully homomorphic encryption. plaintexts. Hence, only half of the homomorphic capacity is effec- In Proceedings of the forty-fourth annual ACM symposium on Theory of computing. 1219–1234. tively used. Kim and Song proposed a variant of CKKS that encrypts [19] Christian Mouchet, Juan R. Troncoso-Pastoriza, Jean-Philippe Bossuat, and 푑 real numbers [16]. This scheme is implemented in a development Jean Pierre Hubaux. 2019. Multiparty Homomorphic Encryption: From The- branch of Lattigo. ory to Practice. In https://eprint.iacr.org/2020/304. [20] Sinem Sav, Apostolos Pyrgelis, Juan R. Troncoso-Pastoriza, David Froelicher, Lattigo-Cloud/Lattigo-MP. Two generic network-layers im- Jean-Philippe Bossuat, Joao Sa Sousa, and Jean-Pierre Hubaux. 2020. plementing the MHE-based MPC protocol are currently in devel- POSEIDON: Privacy-Preserving Federated Neural Network Learning. opment. They provide the network and service layers for both the arXiv:2009.00349 [cs.CR] [21] SEAL 2020. SEAL (release 3.6). https://github.com/Microsoft/SEAL. cloud-based (client+server) and peer-to-peer (client) settings. , Redmond, WA.

ACKNOWLEDGMENTS This work is partly funded by grant #2017-201 (DPPH) of the PHRT. 6